By Jeff Holowaychuk and Abigail Choi
From February 1, 2023, public bodies in BC will be required to comply with the mandatory privacy breach notification and privacy management program provisions of the Freedom of Information and Protection of Privacy Act. These new provisions were part of a package of FIPPA amendments introduced late last year which are only now slated to become effective. Public bodies will need to act quickly to understand their obligations and be ready to comply early next year.
Mandatory Privacy Breach Notification
Under the new provisions, public bodies that experience a privacy breach that could reasonably be expected to result in significant harm to an individual are required to notify both the affected individual and the BC Privacy Commissioner of the breach without unreasonable delay.
A “privacy breach” is the theft or loss, or the collection, use or disclosure of personal information that is in the custody or under the control of a public body that is not authorized under FIPPA. Breaches that could reasonably be expected to result in significant harm to the individual include those that involve identity theft or significant:
- bodily harm;
- damage to reputation or relationships;
- loss of employment, business or professional opportunities;
- financial loss;
- negative impact on a credit report; or
- damage to, or loss of, property.
However, a public body is not required to notify an affected individual if the notification could reasonably be expected to result in immediate and grave harm to, or otherwise threaten, the individual’s safety, physical health or mental health.
Privacy Breach Notification Information Requirements
As part of the mandatory breach notification provisions coming into force, the government has also proposed revisions to the FIPPA Regulations to set out the details that must be included in privacy breach notifications. Notifications to affected individuals must include the following information:
- the name of the public body;
- the date on which the privacy breach came to the attention of the public body;
- a description of the privacy breach including, if known, the date on which or the period during which the privacy breach occurred and a description of the personal information involved in the privacy breach;
- confirmation that the Commissioner has been or will be notified of the privacy breach;
- contact information for a person who can answer questions about the privacy breach on behalf of the public body;
- a description of steps, if any, that the public body has taken or will take to reduce the risk of harm to the affected individual; and
- a description of steps, if any, that the affected individual could take to reduce the risk of harm that could result from the privacy breach.
Notifications to the Privacy Commissioner must include information similar to that described above, together with an estimate of the number of affected individuals.
Privacy Management Programs
In addition to mandatory breach notification, public bodies will also be required to develop a privacy management program that aligns with the directions of the responsible minister.
To date, the minister has not yet released any directions relating to privacy management programs. As a result, the scope and scale of activities that public bodies will need to engage in to develop a compliant privacy management program remains unknown.
Further information about the new privacy management program requirements, our previous article on the topic can be found here.
[Update – Directions relating to privacy management programs have now been released and will come into effect on February 1, 2023. See our blog post on that topic here.]